Researchers: APT Group Hired for Corporate Espionage Campaign
A hack-for-hire campaign targeting an “international architectural and video production company” serving high-end real estate ventures likely involved corporate espionage driven by a developer eager for insider data, according to an analysis from security firm Bitdefender.
The campaign, which Bitdefender attributed to an advanced persistent threat group that it calls “StrongPity,” used a malicious version of Autodesk 3ds Max – graphic designing software used to make 3D models, the researchers say.
Due to the highly targeted nature of the attack, the researchers suspect that StrongPity was hired by a real estate developer to obtain sensitive information on a rival’s project, according to the report.
“Real estate investors involved in multi-billion-dollar contracts seek these [hacking for hire] services to spy on their competition by infiltrating their contractors,” according to the Bitdefender report. “Since the real estate industry is highly competitive, with contracts valued at billions of dollars, the stakes are high for winning contracts for luxury projects and could justify turning to mercenary APT groups for gaining a negotiation advantage.”
The unnamed targeted firm was involved in production work for billion-dollar real estate projects in New York, London, Australia and Oman, according to the report.
Cyber espionage by APT groups offering hackers for hire “is beginning to be a new trend that we’re likely to see more of,” Liviu Arsene, a researcher with Bitdefender, tells Information Security Media Group. “As cybercriminal groups are becoming more sophisticated and act more like mercenaries, it’s likely they will continue making their services available to the highest bidders. This new APT-as-a-service business model seems to be the next evolutionary step in sophisticated attacks.”
On Monday, security firm Kaspersky released a report about a hack-for-hire group called “DeathStalker” that’s been targeting law firms and smaller financial organizations for several years (see: Hacking-for-Hire Group Expands Cyber Espionage Campaign).
In the campaign targeting the production firm, Bitdefender found that the hackers took advantage of a vulnerability in the Autodesk 3ds Max software. By exploiting the bug, known as “PhysXPluginMfx,” hackers can corrupt the application, allowing a threat actor to run malicious code and propagate to other files, according to the report.
Autodesk has warned about this particular flaw and has published a patch.
If a malicious script is downloaded to a compromised device, hackers can then deliver other payloads, such as a backdoor, to connect to a command-and-control server, according to the Bitdefender report.
In addition to the command-and-control infrastructure, the malware downloads another script for collecting data, including the name of the compromised device as well as user credentials. The malicious code then encrypts the information before sending it to the C&C server, according to the report.
Then, the malware deploys additional code capable of taking screenshots and collecting passwords and user history from the Chrome browser database, the researchers say. The malicious code then loads an information stealer to collect storage details, system and network data and access files.
Origins of StrongPity
StrongPity, which has been active since 2016, has previously been linked to espionage campaigns that targeted the Kurdish community as well as the Turkish military, Bitdefender notes.
A July report by AT&T Cybersecurity found another StrongPity campaign that used a malicious version of WinBox router management software to target victims.
In the cyber espionage campaign that Bitdefender examined, the researchers found that the command-and-control infrastructure used to communicate with the malware was located in South Korea. But Arsene notes that it’s difficult to pinpoint a country where this group might have its operations.
“Usually members are often scattered across multiple countries and even continents,” Arsene says. “While some APT groups might be state-sponsored, hence making attribution a lot easier, with mercenary APT groups, they could be located anywhere in the world and operate globally.”
In May, Google’s Threat Analysis Group reported that hack-for-hire groups operating in India spoofed World Health Organization emails to steal credentials from employees at financial services, consulting and healthcare firms around the world (see: ‘Hack for Hire’ Groups Spoof WHO Emails to Steal Data).